In the Linux kernel, the following vulnerability has been resolved:
arm64: Reserve an extra page for early kernel mapping
The final part of [data, end) segment may overflow into the next page of initpgend[1] which is the gap page before earlyinitstack[2]:
[1] crasharm64v9.0.1> vtop ffffffed00601000 VIRTUAL PHYSICAL ffffffed00601000 83401000
PAGE DIRECTORY: ffffffecffd62000 PGD: ffffffecffd62da0 => 10000000833fb003 PMD: ffffff80033fb018 => 10000000833fe003 PTE: ffffff80033fe008 => 68000083401f03 PAGE: 83401000
PTE PHYSICAL FLAGS
68000083401f03 83401000 (VALID|SHARED|AF|NG|PXN|UXN)
PAGE PHYSICAL MAPPING INDEX CNT FLAGS
fffffffec00d0040 83401000 0 0 1 4000 reserved
[2] ffffffed002c8000 (r) pidata ffffffed0054e000 (d) pibssstart ffffffed005f5000 (b) __piinitpg_dir ffffffed005fe000 (b) _piinitpgend ffffffed005ff000 (B) earlyinitstack ffffffed00608000 (b) piend
For 4K pages, the early kernel mapping may use 2MB block entries but the kernel segments are only 64KB aligned. Segment boundaries that fall within a 2MB block therefore require a PTE table so that different attributes can be applied on either side of the boundary.
KERNELSEGMENTCOUNT still correctly counts the five permanent kernel VMAs registered by declarekernelvmas(). However, since commit 5973a62efa34 ("arm64: map [_text, _stext) virtual address range non-executable+read-only"), the early mapper also maps [_text, stext) separately from [stext, etext). This adds one more early-only split and can require one more page-table page than the existing EARLYSEGMENTEXTRAPAGES allowance reserves.
Increase the 4K-page early mapping allowance by one page to cover that additional split.
[catalin.marinas@arm.com: rewrote part of the commit log] [catalin.marinas@arm.com: expanded the code comment]
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53288.json",
"cna_assigner": "Linux"
}